When process_cond() failed, it freed the token but didn't reset the arg->op.op to NULL. So it tried to free the arg->op.op again from free_arg() from the caller and resulted in a double free. Signed-off-by: Namhyung Kim <namhyung@xxxxxxxxxx> --- src/event-parse.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/event-parse.c b/src/event-parse.c index 9f0522c..c327917 100644 --- a/src/event-parse.c +++ b/src/event-parse.c @@ -2375,8 +2375,11 @@ process_op(struct tep_event *event, struct tep_print_arg *arg, char **tok) /* it will set arg->op.right */ type = process_cond(event, arg, tok); - if (type == TEP_EVENT_ERROR) - free(token); + if (type == TEP_EVENT_ERROR) { + /* arg->op.op (= token) will be freed at out_free */ + arg->op.op = NULL; + goto out_free; + } } else if (strcmp(token, ">>") == 0 || strcmp(token, "<<") == 0 || -- 2.45.2.741.gdbec12cfda-goog
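Review bot: the new error path relies on `out_free` freeing `token` (as the added comment "arg->op.op (= token) will be freed at out_free" states) and not `arg->op.op`, which this hunk sets to NULL before the jump; neither the `out_free` label nor its cleanup is in the visible context, so please confirm that the label path calls `free(token)` and still returns `TEP_EVENT_ERROR`, otherwise the token leaks or the parse error is masked. The `strcmp(token, ">>")`/`"<<"` branch immediately below takes the same `token` ownership, so it is worth checking that its error handling does not repeat the original pattern (freeing `token` while leaving `arg->op.op` pointing at it) that caused the double free via `free_arg()`.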